Department of Homeland Security
Office of Inspector General

Evaluation of DHS' Information Security Program for Fiscal Year 2009

(Redacted)

OIG-09-109                          September 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

September 23, 2009

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses the strengths and weaknesses of controls over the information security program and practices at DHS. It is based on interviews with selected program officials at the department and components, direct observations, a review of applicable documents, and system testing.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

  Executive Summary ........ 1
  Background ........ 2
  Results of Independent Evaluation ........ 4
  Recommendations ........ 17
  Management Comments and OIG Analysis ........ 18

Appendices
  Appendix A: Purpose, Scope, and Methodology ........ 22
  Appendix B: Management Response to Draft Report ........ 24
  Appendix C: DHS June and July 2009 FISMA Scorecards ........ 27
  Appendix D: DHS June and July 2008 FISMA Scorecards ........ 28
  Appendix E: FISMA System Inventory and Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing ........ 29
  Appendix F: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory ........ 32
  Appendix G: Evaluation of Agency Plan of Action and Milestones Process ........ 33
  Appendix H: IG Assessment of the Certification and Accreditation Process ........ 34
  Appendix I: IG Assessment of Agency Privacy Program and Privacy Impact Assessment Process ........ 35
  Appendix J: Configuration Management ........ 36
  Appendix K: Incident Reporting ........ 37
  Appendix L: Security Awareness Training and Peer-to-Peer File Sharing ........ 38
  Appendix M: Major Contributors to this Report ........ 39
  Appendix N: Report Distribution ........ 40

Abbreviations
  ATO                Authority to Operate
  C&A                Certification and Accreditation
  CBP                United States Customs and Border Protection
  CIO                Chief Information Officer
  CIS                Citizenship and Immigration Services
  CISO               Chief Information Security Officer
  DHS                Department of Homeland Security
  FDCC               Federal Desktop Core Configuration
  FEMA               Federal Emergency Management Agency
  FIPS               Federal Information Processing Standards
  FISMA              Federal Information Security Management Act
  FLETC              Federal Law Enforcement Training Center
  FY                 Fiscal Year
  ICE                United States Immigration and Customs Enforcement
  ISO                Information Security Office
  ISSO               Information Systems Security Officer
  IT                 Information Technology
  Management         Management Directorate
  NFRs               Notice of Findings and Recommendations
  NIST               National Institute of Standards and Technology
  OIG                Office of Inspector General
  OMB                Office of Management and Budget
  PIA                Privacy Impact Assessment
  PII                Personally Identifiable Information
  POA&M              Plan of Action and Milestones
  PTA                Privacy Threshold Analysis
  S&T                Science and Technology
  SOC                Security Operations Center
  SP                 Special Publication
  Training Office    Information Security Training, Education, and Awareness Office
  TSA                Transportation Security Administration
  USCG               United States Coast Guard
  USSS               United States Secret Service

Executive Summary

We reviewed the Department of Homeland Security (DHS') information security program and practices to comply with the requirements of the Federal Information Security Management Act of 2002 (Public Law 107-347, Sections 301-305). In evaluating DHS' progress in implementing its agency-wide information security program, we reviewed the department's Plan of Action and Milestones (POA&M), as well as its certification and accreditation (C&A) processes. We also performed an evaluation of the department's privacy program. Fieldwork was performed at both the program and component levels.

The department continues to improve and strengthen its security program. During the past year, DHS developed and implemented the fiscal year (FY) 2009 information security performance plan to enhance its security program, focusing on areas that the department would like to improve upon throughout the year. Specifically, DHS identified in the performance plan several key elements that are indicative of a strong security program, such as POA&M weakness remediation, quality of C&A, annual testing and validation, and security program oversight. While these efforts have resulted in some improvements, components are still not executing all of the department's policies, procedures, and practices. For example, our review of DHS scorecards for a two-year period revealed that components have not maintained their information security programs at the department's targeted performance level. In addition, our review identified the following more significant exceptions to a strong and effective information security program:

• Systems are being accredited though key information is missing.
• POA&Ms are not being created for all known information security weaknesses.
• POA&M weaknesses are not being mitigated in a timely manner.
• Baseline security configurations are not being implemented for all systems.

Components' execution of DHS' policies, procedures, and practices must be improved in order for the department to ensure that all information security weaknesses are tracked and remediated, and to enhance the quality of system C&A. Additional information security program areas that need improvement include configuration management, incident detection and analysis, specialized training, and privacy.

We are making eight recommendations to the Chief Information Officer and Chief Privacy Officer. The department concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

Due to the increasing threat to information systems and the highly networked nature of the federal computing environment, the Congress, in conjunction with the Office of Management and Budget (OMB), requires an annual review and reporting of agencies' compliance with the Federal Information Security Management Act (FISMA). FISMA focuses on the program management, implementation, and evaluation of the security of unclassified and national security systems.

Recognizing the importance of information security to the economic and national security interests of the United States, the Congress enacted Title III of the E-Government Act of 2002 (Public Law 107-347, Sections 301-305) to improve security within the federal government. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Title III of the E-Government Act, entitled FISMA, provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support federal operations and assets.

FISMA requires each federal agency to develop, document, and implement an agency-wide security program. The agency's security program should protect the information and the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. As specified in FISMA, agency heads are charged with conducting an annual evaluation of information programs and systems under their purview, as well as an assessment of related security policies and procedures. Offices of Inspector General (OIG) must independently evaluate the effectiveness of an agency's information security program and practices on an annual basis.

OMB issued memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, on August 20, 2009. The memorandum provides updated instructions for agency and OIG reporting under FISMA. In accordance with OMB's reporting instructions, this annual evaluation summarizes the results of our review of DHS' information security program and practices.

The Chief Information Security Officer (CISO) leads the Information Security Office (ISO) and is responsible for managing DHS' information security program. To aid in managing its security program, DHS developed a process for reporting and capturing known security weaknesses in its POA&Ms.
DHS uses an enterprise management tool to collect and track data related to all POA&M activities, including weaknesses identified during self-assessment and the C&A process. DHS' enterprise management tool also collects data on other FISMA metrics, such as the number of systems that have implemented DHS' security baseline configurations and the number of employees who have received information technology (IT) security training.

In addition, DHS uses an enterprise-wide C&A tool to automate and standardize portions of the C&A process to assist DHS components in quickly and efficiently developing their security accreditation packages. Below is an illustration of how the enterprise management and C&A tools are used within the department to collect, manage, and report information security metrics.

[Figure: DHS' Enterprise Security Management Tools Usage. Inputs (DHS 4300: FISMA requirements, OMB/NIST guidance, other requirements; component IT security program implementation; IT system implementations; component/domain monthly status updates) feed the C&A Tool (system security plan, requirements traceability matrix, security assessment report, sample test procedures, test results, contingency plans) and the FISMA Reporting Tool (system and program security metrics, POA&M, annual assessment questionnaire, summary of C&A status/documents, reports, digital dashboard). Outputs go to the data review teams (DHS compliance review teams, OIG, and component/domain ISSM data verification and review), FISMA reports go to OMB, and digital dashboard metrics go to DHS management.]
Source: DHS 4300A Sensitive Systems Handbook, Attachment E – FISMA Reporting

Results of Independent Evaluation

Based on the requirements outlined in FISMA and OMB's annual reporting instructions, our independent evaluation focused on seven key areas of DHS' information security program (i.e., system inventory; certification and accreditation process; plan of action and milestones process; configuration management; incident detection, handling, and analysis procedures; security training; and privacy). In addition to our independent evaluation, we conducted reviews of DHS' information systems and security program-related areas throughout FY 2009.
This report includes the results of a limited number of systems evaluated during the year and our on-going financial statement review, including the LAN-A, OneNet, Los Angeles International Airport, and web server audits.1

1 Technical Security Evaluation of DHS Activities at Los Angeles International Airport (OIG-09-01, October 2008), Better Monitoring and Enhanced Technical Controls Are Needed to Effectively Manage LAN-A (OIG-09-55, April 2009), Improved Management and Stronger Leadership Are Essential to Complete the OneNet Implementation (OIG-09-98, September 2009), and Vulnerabilities Highlight the Need for More Effective Web Security Management (OIG-09-101, September 2009).

We separated the results of our evaluation into seven FISMA areas. For each area, we identified the progress that DHS has made since our FY 2008 evaluation and those issues that need to be addressed to be more successful in the respective information security program area.

OVERALL PROGRESS

• The CISO developed the Fiscal Year 2009 DHS Information Security Performance Plan "Maintaining Excellence" to enhance its information security program, and to make continuous improvements on all existing processes. In addition, the CISO refined its FISMA scorecard metrics to better evaluate components' compliance with the performance plan. See Appendix C and D for examples of the FISMA scorecard.
• The CISO revised the department's baseline IT security policies and procedures in DHS Sensitive Systems Policy Directive 4300A and its companion, DHS 4300A Sensitive Systems Handbook, to reflect the changes made in DHS security policies and various National Institute of Standards and Technology (NIST) guidance, such as assessing the effectiveness of controls implemented on information systems, and incorporating security into system life cycles.
• DHS continues to maintain an effective process in updating and managing an inventory of its agency and contractor systems on an annual basis. In addition, DHS updated its FISMA System Inventory methodology to identify the Chief Financial Officer designated systems.
• The CISO implemented more stringent criteria when reviewing the artifacts contained in accreditation packages. Once all the artifacts are approved by the component CISO, DHS reviews the entire accreditation package for consistency and completeness.
• DHS improved on its Vulnerability Assessment Program as the DHS Security Operations Center (SOC) now has full visibility at Customs and Border Protection (CBP), Citizenship and Immigration Services (CIS), Federal Law Enforcement Training Center (FLETC), Management Directorate (Management), National Protection and Programs Directorate (NPPD), Science and Technology (S&T), and Transportation Security Administration (TSA).
• The CISO has taken actions to evaluate classified POA&Ms maintained at the Federal Emergency Management Agency (FEMA), Transportation Security Administration (TSA), and United States Coast Guard (USCG).
• DHS documented the deviations from the Federal Desktop Core Configuration (FDCC) settings and components have taken steps to implement the settings on Windows XP and Vista desktops and laptops. Our testing results confirmed that FLETC had implemented FDCC settings on its Windows XP workstations.

OVERALL ISSUES TO BE ADDRESSED

Despite the progress made to the department's overall information security program, components are still not fully executing the department's policies, procedures, and practices. For example, our review of DHS FISMA scorecards for the period June 2007 through July 2009 revealed that components do not sustain their information security programs on a year-round basis or do not perform continuous monitoring to maintain system accreditations and POA&Ms.
For example:

• Components' overall scores drop considerably following July (FISMA reporting cut-off) and do not show any significant progress until the months leading up to the subsequent annual FISMA reporting. Furthermore, scores remain below the minimum performance target (80%) for the majority of the year. Components are reaching outstanding performance levels (green) only at the time of FISMA reporting. See Figure 1.2
• To evaluate the effectiveness of components' continuous monitoring program, we selected two significant metrics from DHS scorecards: C&A and POA&Ms quality. As depicted in Figure 2, the scores for both metrics peak in the months of annual FISMA reporting (around July) and quickly drop in subsequent months.3 As such, systems' C&A packages and POA&Ms are not being updated as required by the components.4 See Appendix C for June and July 2009 DHS scorecards and Appendix D for June and July 2008.

2 DHS could not provide the scorecards for the months of August 2007, September 2007, October 2008, and November 2008.
3 DHS could not provide the scorecards for the months of October and November 2008.
4 In accordance with NIST 800-37, "continuous monitoring" is the fourth phase of the C&A process (i.e., after the information system has been certified and accredited). OMB noted in its FY09 FISMA reporting instructions that "Continuous monitoring of security controls is a cost-effective and important part of managing enterprise risk and maintaining an accurate understanding of the security risks confronting agency's information systems. Continuous monitoring of security controls is required as part of the security C&A process to ensure controls remain effective over time (e.g., after the initial authorization or reauthorization of an information system). A robust and effective continuous monitoring program will ensure important procedures included in an agency's accreditation package (e.g., as described in system security plans, security assessment reports, and POAMs) are updated as appropriate and contain the necessary information for authorizing officials to make credible risk-based decisions regarding the security state of the information system on an ongoing basis."

In addition:

• Artifacts supporting the component systems' C&A were missing key information to allow the accrediting officials to make a credible risk-based decision.
• Components have not incorporated all known information security weaknesses into their POA&Ms.
• Components have not fully implemented DHS' baseline configuration settings.
• Components are not consistently maintaining and tracking their classified POA&Ms.
• Appropriate training is needed for all individuals with significant security responsibilities.
• An escalation process is needed for privacy impact assessments (PIA) that have been in the review and approval process for more than six months.

System Inventory

DHS maintains an effective process to update and manage its systems inventory on an annual basis, including agency and contractor systems. In addition, DHS conducts site visits to identify systems that were not included in the department's annual inventory update process.

PROGRESS

• DHS continues to maintain a comprehensive inventory of its major applications and general support systems, including contractor systems. In addition, DHS updated its FISMA System Inventory methodology to identify the Chief Financial Officer designated systems. As of July 31, 2009, DHS identified 579 operational systems.

ISSUES TO BE ADDRESSED

• We noted that a high percentage of systems are reported by components as "under development" in DHS' enterprise management tool.
  As of June 30, 2009, components reported that 57 general support systems and 130 major applications are "under development." This represents 32% of DHS operational systems and may indicate that components are not accurately reporting the life cycle status of their systems to the department.
• While CBP's classified laptop system is operational, the component reported it as "under development" in DHS' enterprise management tool. CBP personnel indicated that they reported the system as "under development" because the accreditation package was classified as "secret" and could not be uploaded into DHS' enterprise management tool.
• The results of our web server audit revealed that "cbp.gov" has not been included in DHS' system inventory.5

5 Vulnerabilities Highlight the Need for More Effective Web Security Management (OIG-09-101, September 2009).

See Appendices E and F for system inventory and evaluation of DHS' oversight of contractor systems and quality of system inventory.

Certification and Accreditation Process

DHS follows the C&A process outlined in NIST Special Publication (SP) 800-37 to certify and accredit its systems. Components are required to use an enterprise-wide tool that incorporates NIST recommended security controls required for system C&A. The C&A process requires documentation, such as system security plans, risk assessments, system test and evaluation plans, security assessment reports, contingency plans, contingency plan test results, and self-assessments.

For some of the systems that have been accredited by the components, the artifacts that are required to C&A a system were either missing or incomplete. In addition, some of the self-assessments were not being properly completed by the components. We identified a similar issue in our FY 2008 FISMA report.6

PROGRESS

• DHS requires components to upload 11 C&A artifacts into its enterprise management tool to monitor the progress in accrediting systems. The 11 artifacts are: Authority to Operate (ATO) letter, system security plan, security assessment report, risk assessment, security test and evaluation, contingency plan, contingency plan test results, Federal Information Processing Standards (FIPS) 199 determination, E-authentication determination, privacy threshold analysis (PTA)/privacy impact assessment (PIA), and NIST SP 800-53 self-assessment.
• As of July 31, 2009, the CISO reported that 93 percent of DHS' operational systems (540/579) have been certified and accredited.
• The quality of C&A packages has improved in FY 2009, when compared to FY 2008. Specifically, we identified fewer instances where the required information was missing from security documents.

ISSUES TO BE ADDRESSED

• We selected 35 systems from 12 components and offices to evaluate the quality of DHS' C&A process. Our review revealed that the component CISOs have not performed adequate reviews to ensure that the artifacts contain the required information to meet all applicable DHS, OMB, and NIST guidelines. For some of the systems that have been accredited by the components, the artifacts that are required to C&A a system were either missing or incomplete.
Without this information, agency officials cannot make\n                                credible, risk-based decisions on whether to authorize the system to\n                                operate. Specifically:\n\n\n\n6\n    Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008 (OIG-08-94, September 2008).\n                   Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                                     Page 9\n\x0c                 \xef\xbf\xbd We identified eight instances where the FIPS-199\n                   determination was not completed and four instances where\n                   FIPS-199 determination was outdated. The FIPS-199\n                   determination, when applied properly during the risk\n                   assessment process, helps agency officials to select\n                   applicable controls for the information systems.\n                 \xef\xbf\xbd Twenty-five instances were identified where system security\n                   plans were missing sections that describe detailed\n                   emergency configuration changes, management plans,\n                   security controls, and incident handling procedures. In\n                   addition, we noted four instances where the system security\n                   plans were outdated. The system security plan should be\n                   current, providing an overview of the information system,\n                   and describing the security controls implemented or planned\n                   to protect the system.\n                 \xef\xbf\xbd We identified seventeen instances where contingency plans\n                   were incomplete, missing the identification of alternate\n                   processing facilities or restoration procedures. Four of the\n                   contingency plans were more than three years old. 
An\n                   updated contingency plan can help agency officials to\n                   maintain or restore business operations, including computer\n                   operations, possibly at an alternate location, in the event of\n                   emergencies, system failures, or disaster.\n                 \xef\xbf\xbd The contingency plans for two \xe2\x80\x9chigh availability\xe2\x80\x9d systems\n                   had not been tested because the alternate processing\n                   facilities were not operational. Contingency plan testing\n                   identifies planning gaps and is also a training exercise to\n                   prepare recovery personnel for plan activation, which can\n                   improve plan effectiveness and overall agency preparedness.\n                   Untested plans may create a false sense of ability to recover\n                   operations in a timely manner.\n\n        \xef\xbf\xbd\t   As part of the C&A review, we also evaluated the quality of\n             completed NIST SP 800-53 self-assessments. For example, we\n             evaluated whether the components provided support for all\n             applicable controls as to how they were implemented. In addition,\n             we assessed whether supporting documentation existed for all\n             controls that were reported as \xe2\x80\x9ctested.\xe2\x80\x9d Finally, we evaluated the\n             adequacy of the justifications for any controls that were reported as\n             \xe2\x80\x9cnot applicable,\xe2\x80\x9d and whether a POA&M was created for all\n             required controls that had not been tested. 
Specifically:\n                 \xef\xbf\xbd We identified eighteen instances where controls, required by\n                   DHS and NIST, were missing from the self-assessments.\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                  Page 10\n\x0c                                 \xef\xbf\xbd We noted fifteen instances where required controls were not\n                                   tested; did not include validation and verification testing; or\n                                   were missing documentation to support that testing was\n                                   performed. Examples of these instances were found in the\n                                   areas of access control, configuration management,\n                                   contingency planning, and risk assessment.\n\n                        \xef\xbf\xbd\t   We reported in April 2009 that the LAN-A system was certified and\n                             accredited without the required security documents.7\n\n                        See Appendix H for our assessment of DHS\xe2\x80\x99 C&A process.\n\n                Plan of Action and Milestones Process\n\n                        DHS requires components to create and maintain POA&Ms for all\n                        known IT security weaknesses. DHS performs automated reviews on\n                        POA&Ms for accuracy and completeness and the results are provided\n                        to components on a daily basis. Despite these efforts, components are\n                        not entering and tracking all IT security weaknesses in DHS\xe2\x80\x99 enterprise\n                        management tool, nor is all of the data entered by the components\n                        accurate and updated in a timely manner. 
We identified a similar issue\n                        in our FY 2008 FISMA report.\n\n                        PROGRESS\n\n                        \xef\xbf\xbd\t   DHS had taken actions to evaluate classified POA&Ms maintained\n                             at FEMA, TSA, and USCG.\n                        \xef\xbf\xbd\t   Components have created POA&Ms for 135 of 140 (96%) notice of\n                             findings and recommendations (NFRs) for the weaknesses\n                             identified during the FY 2008 financial statement audit.\n                        \xef\xbf\xbd\t   Components have prioritized all unclassified POA&Ms in DHS\xe2\x80\x99\n                             enterprise management tool.\n\n                        ISSUES TO BE ADDRESSED\n\n                        \xef\xbf\xbd\t   Components are not correcting all deficiencies identified during\n                             DHS\xe2\x80\x99 POA&M quality reviews. Our review of DHS\xe2\x80\x99 quality\n                             reports identified repeated deficiencies, such as inaccurate\n                             milestones, lack of resources to mitigate the weaknesses, and delays\n                             in resolving the POA&Ms that are not corrected by the components.\n7\n Better Monitoring and Enhanced Technical Controls Are Needed to Effectively Manage LAN-A (OIG-09-55,\nApril 2009).\n                Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                                  Page 11\n\x0c        \xef\xbf\xbd\t   Components are not monitoring the status of their high priority\n             POA&Ms or reviewing them for consistency and completeness.\n             DHS requires component CISOs to monitor the progress of the\n             POA&M implementation and remediation efforts. 
Specifically,\n             component CISOs are required to review and approve all priority 4\n             and priority 5 POA&Ms to ensure that the weaknesses are properly\n             prioritized, and that appropriate resources have been identified for\n             remediation. Priority 4 weaknesses are assigned to initial audit\n             findings and priority 5 weaknesses for repeat audit findings. As of\n             June 30, 2009, only 320 out of 365 Priority 4 and 5 POA&Ms have\n             been reviewed and approved by a component CISO.\n        \xef\xbf\xbd\t   DHS components have not created POA&Ms for all known\n             information security weaknesses. Component CISOs and\n             Information Systems Security Officer (ISSOs) are responsible for\n             ensuring that POA&M information is entered accurately and that\n             weaknesses are mitigated timely. Component personnel cited a lack\n             of time and staff as the explanation that their POA&Ms are not\n             being updated regularly. For example,\n                 \xef\xbf\xbd Three components (CBP, Management, and TSA) did not\n                   create POA&Ms for findings identified in OIG audit reports\n                   issued during FY 2009.\n                 \xef\xbf\xbd Although six components (CBP, FEMA, ICE, NPPD, TSA,\n                   and USCG) followed a manual process for maintaining\n                   classified POA&Ms, not all components identified the\n                   source of the weaknesses or include the creation date,\n                   estimated completion dates, and the actual completion of the\n                   POA&Ms. 
In addition, there is no evidence of periodic\n                   updates, component CISO reviews, or that these weaknesses\n                   were properly prioritized.\n                 \xef\xbf\xbd Components are not creating POA&Ms for the weaknesses\n                   identified during the C&A process or from the NIST\n                   SP 800-53 self-assessments. As part of our C&A quality\n                   review, we evaluated whether POA&Ms had been created\n                   for any weakness that was identified during the C&A\n                   process, or from the NIST SP 800-53 self-assessment when\n                   controls had not been tested and where risks were not\n                   accepted. In 17 instances, POA&Ms were not created for\n                   the weaknesses identified during the C&A process.\n\n        \xef\xbf\xbd\t   Based on an analysis of data in DHS\xe2\x80\x99 enterprise management tool,\n             as of June 30, 2009, component CISOs and ISSOs are not\n             maintaining current information as to the progress of security\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                  Page 12\n\x0c             weakness remediation and all POA&Ms are not being resolved in a\n             timely manner.\n                 \xef\xbf\xbd Component management is not updating all weaknesses\n                   where the estimated completion date has been delayed. Of\n                   the 3,918 open POA&Ms with estimated completion dates,\n                   837 (21%) were delayed by at least 3 months (prior to\n                   April 1, 2009). Furthermore, 563 POA&Ms had an\n                   estimated completion date over one year old, dating as far\n                   back as December 31, 2005. 
In addition, completion dates\n                   for 226 of the 563 POA&Ms have not been updated since\n                   March 2006.\n                 \xef\xbf\xbd Resources required for the remediation of 298 (8%) of the\n                   3,918 open POA&Ms were either not identified or listed the\n                   cost of remediation as less than $50. DHS requires a\n                   reasonable resources estimate of at least $50 be provided to\n                   mitigate the weakness identified.\n                 \xef\xbf\xbd 238 (6%) of 3,918 open POA&Ms are scheduled to take\n                   more than 2 years to mitigate the weaknesses.\n        \xef\xbf\xbd\t   Based on our samples of the vulnerability assessment results\n             performed by DHS SOC, CIS had not created POA&Ms for the\n             high risk vulnerabilities that could not be mitigated timely.\n\n        See Appendix G for the evaluation of DHS\xe2\x80\x99 POA&M process.\n\nConfiguration Management\n\n        To evaluate components\xe2\x80\x99 compliance with DHS baseline configuration\n        requirements, we determined whether required configuration settings\n        had been implemented on the 50 systems selected for our C&A and\n        configuration management reviews. For the systems selected for the\n        C&A review, we performed testing to determine whether DHS baseline\n        configuration settings were implemented on selected servers. For the\n        systems selected for our configuration assessment, we verified whether\n        NIST SP 800-53 controls and DHS baseline configuration settings were\n        implemented on selected servers. Our review also includes the results\n        of a limited number of systems evaluated during the year, such as the\n        LAN-A, OneNet, Los Angeles International Airport, and web server\n        audits. 
Results revealed that the components have not implemented all\n        of the required DHS baseline configuration settings. We reported a\n        similar issue in our FY2008 FISMA report.\n\n        PROGRESS\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                  Page 13\n\x0c        \xef\xbf\xbd\t   DHS documented the deviations from FDCC settings. In addition,\n             components are in various stages of implementing the settings on\n             their Windows XP and Vista desktops and laptops. Components are\n             scheduled to complete the implementation by FY2011. Our testing\n             results confirmed that FLETC had implemented FDCC settings on\n             its Windows XP desktops and laptops.\n        \xef\xbf\xbd\t   DHS updated the baseline configuration guidelines for Oracle\n             database, Windows XP, Windows 2003 Server, Windows 2008\n             Server, and Windows Vista.\n\n        ISSUES TO BE ADDRESSED\n\n        \xef\xbf\xbd\t   Components indicated that automated tools are needed to ensure\n             that DHS baseline configuration settings are implemented\n             consistently and more efficiently throughout the department.\n        \xef\xbf\xbd\t   DHS has not implemented the FDCC requirements, as outlined in\n             OMB Memorandums M-07-11, Implementation of Commonly\n             Accepted Security Configurations for Windows Operating Systems,\n             March 22, 2007, and M-07-18, Ensuring New Acquisitions Include\n             Common Security Configurations, June 1, 2007. For example, DHS\n             has not incorporated the standard FDCC contract language into all\n             IT acquisitions. 
CBP, CIS, FLETC, ICE and TSA have not\n             incorporated the standard language into their IT contracts.\n        \xef\xbf\xbd\t   The majority of components, including Management, have yet to\n             implement FDCC security settings.\n        \xef\xbf\xbd\t   Components have not implemented DHS baseline configuration\n             settings on the systems reviewed. Specifically:\n                 \xef\xbf\xbd Results from our C&A and configuration reviews indicated\n                   that DHS\xe2\x80\x99 baseline configuration settings have not been\n                   implemented on the systems. For example, components\n                   have not implemented warning banners, enforced password\n                   complexities, or enabled audit trail policies.\n                 \xef\xbf\xbd Vulnerability assessments performed at components during\n                   our LAN-A, OneNet, Los Angeles International Airport, and\n                   web server audits identified security concerns with access\n                   control, identification and authentication, and configuration\n                   management. In these instances, components had not\n                   configured their systems based on DHS\xe2\x80\x99 configuration\n\n\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                  Page 14\n\x0c                                      guidelines. 
Components included CBP, CIS, FEMA, ICE,\n                                      Management, NPPD, TSA, USCG, and USSS.8\n\n                         \xef\xbf\xbd\t   Weak internal IT controls related to financial management systems\n                              were found during the audit of the department\xe2\x80\x99s consolidated\n                              financial statements for FY 2008.9 Security concerns included\n                              inadequate access controls, application controls, software\n                              development, and change controls.\n\n                         See Appendix J for information regarding DHS\xe2\x80\x99 configuration\n                         management.\n\n                Incident Detection, Handling, and Analysis Procedures\n\n                         DHS has established adequate incident detection, handling, and\n                         analysis procedures, but has not fully implemented its vulnerability\n                         assessment program across the department.\n\n                         PROGRESS\n\n                         \xef\xbf\xbd\t   DHS continues to implement its Vulnerability Assessment Program\n                              as the DHS SOC has full visibility to perform scans on workstations\n                              and servers at CBP, CIS, DHS HQ, FLETC, and TSA.\n\n                         ISSUES TO BE ADDRESSED\n\n                         \xef\xbf\xbd\t   FLETC, NPPD, OIG, and S&T did not submit weekly incident\n                              reports to the DHS SOC, as required. Furthermore, the DHS SOC\n                              does not follow-up with these components to obtain the missing\n                              reports.\n                         \xef\xbf\xbd\t   DHS\xe2\x80\x99 vulnerability assessment program has not been deployed\n                              department-wide. 
The program includes a comprehensive\n                              vulnerability alert, assessment, remediation, and reporting process\n                              to effectively identify computer security vulnerabilities and track\n                              mitigation efforts to resolution. The DHS SOC only has limited\n                              access at FEMA and ICE, and cannot perform vulnerability\n\n\n8\n  Technical Security Evaluation of DHS Activities at Los Angeles International Airport (OIG-09-01,\n\nOctober 2008), Better Monitoring and Enhanced Technical Controls Are Needed to Effectively Manage LAN-A\n\n(OIG-09-55, April 2009), Improved Management and Stronger Leadership Are Essential to Complete the \n\nOneNet Implementation (OIG-09-98, September 2009), and Vulnerabilities Highlight the Need for More \n\nEffective Web Security Management (OIG-09-101, September 2009). \n\n9\n  Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit (OIG-09-50, \n\nApril 2009). \n\n                 Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                                   Page 15\n\x0c                          assessments on their workstations and servers. Finally, the DHS\n                          SOC has no access at OIG, USCG, and USSS.\n                     See Appendix K for information regarding DHS\xe2\x80\x99 incident reporting.\n\n            Security Training\n\n                     DHS validates components\xe2\x80\x99 employee security training. 
The\n                     department\xe2\x80\x99s Information Security Training, Education, and Awareness\n                     Office (Training Office) has not developed a specific training program\n                     for employees with significant security responsibilities.\n\n                     PROGRESS\n\n                     \xef\xbf\xbd\t   The Training Office has initiated a process requiring components to\n                          identify all personnel with significant IT security-related\n                          responsibilities.\n\n                     ISSUES TO BE ADDRESSED\n\n                     \xef\xbf\xbd\t   The Training Office has not identified appropriate, specialized\n                          security training for employees and contractors with significant IT\n                          security responsibilities. We reported a similar issue in our\n                          FY2006, FY2007, and FY2008 FISMA reports.10\n                     \xef\xbf\xbd\t DHS contractors do not have access to DHScovery or the\n                        standardized security awareness training offered by the system.\n                     See Appendix L for information regarding DHS\xe2\x80\x99 security awareness\n                     training.\n\n            Privacy\n\n                     The Privacy Office continues to refine its PIA guidance. However, the\n                     Privacy Office continues to experience delays in reviewing and\n                     approving PIAs submitted by the components and has not implemented\n                     all requirements specified in OMB M-07-16, Safeguarding Against and\n                     Responding to the Breach of Personally Identifiable Information,\n                     May 22, 2007. 
We reported a similar issue in our FY2008 FISMA\n                     report.\n\n\n\n10\n  Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2006 (OIG-06-62, September 2006),\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2007 (OIG-07-77, September 2007), and\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2008 (OIG-08-94, September 2008).\n            Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                              Page 16\n\x0c        PROGRESS\n\n        \xef\xbf\xbd\t   The Privacy Office has issued new policies since our last review.\n             For example, the Privacy Office issued:\n                 \xef\xbf\xbd Handbook for Safeguarding Sensitive Personally\n                   Identifiable Information at DHS to provide step by step\n                   instructions on how to protect personal information.\n                 \xef\xbf\xbd DHS Policy Regarding Privacy Impact Assessments\n                   Memorandum to set forth the Privacy Officer\xe2\x80\x99s requirements\n                   to perform the privacy assessments.\n                 \xef\xbf\xbd DHS Policy Regarding Fair Information Practice Principles\n                   to reiterate that the Fair Information Practice Principles as\n                   the foundational principles for DHS\xe2\x80\x99 privacy policy.\n                 \xef\xbf\xbd DHS Privacy Policy Regarding Collection, Use, Retention,\n                   and Dissemination of Information on Non-U.S. Persons to\n                   set forth the policy to protect the privacy information of\n                   non-U.S. persons collected, used, retained, and/or disseminated\n                   by the department.\n\n        ISSUES TO BE ADDRESSED\n\n        \xef\xbf\xbd\t DHS has not implemented all of the requirements outlined in\n           OMB M-07-16. 
Specifically, DHS has not defined the\n           consequences for users who do not comply with the policy. The\n           Privacy Office is working in conjunction with the Office of General\n           Counsel and the Chief Human Capital Office to develop the\n           consequences of non-compliance policy.\n        \xef\xbf\xbd\t DHS\xe2\x80\x99 Privacy Office is experiencing delays in reviewing and\n           approving PIAs. As of June 15, 2009, there were 99 PIAs in\n           various stages of review; the PIAs for 3 operational systems had\n           been outstanding for more than 230 days.\n        See Appendix I for DHS\xe2\x80\x99 Privacy Program and Privacy Impact\n        Assessment Process.\n\nRecommendations\n        We recommend that the DHS Chief Information Officer:\n        Recommendation #1: Improve the ISO\xe2\x80\x99s review process to ensure that\n        all POA&Ms, including those POA&Ms for classified systems, are\n        complete, accurate, and current. Specifically, components must correct\n        the POA&M deficiencies identified by the ISO review.\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                  Page 17\n\x0c        Recommendation #2: Ensure that all applicable controls are included\n        in the security document when certifying and accrediting systems.\n        Systems accredited with outdated documents or without all applicable\n        controls should not be accepted.\n        Recommendation #3: Improve the process to ensure that DHS baseline\n        configuration requirements are implemented and maintained on all\n        systems. 
The process should include testing and the use of automated\n        tools and security templates to ensure that DHS baseline configuration\n        settings are implemented.\n        Recommendation #4: Expedite the implementation of a\n        department-wide vulnerability assessment program to perform periodic\n        testing to evaluate the security posture at all components. POA&Ms\n        should be created for any high risk vulnerabilities that can not be\n        mitigated timely.\n        Recommendation #5: Establish appropriate training that is needed for\n        all individuals with significant security responsibilities to perform their\n        security functions.\n        Recommendation #6: Evaluate and revise the department\xe2\x80\x99s current\n        FDCC implementation strategy to ensure the requirements outlined in\n        OMB M-07-11 and M-07-18 are implemented expeditiously.\n\n        We recommend that the DHS Chief Privacy Officer:\n        Recommendation #7: Establish an escalation process for any PIAs that\n        have been in the review and approval process for an extended period of\n        time.\n        Recommendation #8: Define the consequences of non-compliance by\n        system users, in accordance with the requirements outlined in OMB\n        M-07-16.\n\nManagement Comments and OIG Analysis\n        DHS concurred with recommendation 1. DHS has taken actions to\n        improve the ISO review process to ensure that all POA&Ms, including\n        those POA&Ms for classified systems, are complete, accurate, and\n        current. 
Improvements include the implementation of automated\n        POA&M quality review checks performed daily and conducting\n        reviews of POA&Ms to ensure that results from Annual Assessments,\n        Information Technology Acquisition Reviews, and Enterprise\n        Architecture Center of Excellence Reviews and OMB A-123 reviews\n        are included.\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                  Page 18\n\x0c        We agree that the steps that DHS is taking, and plans to take, begin to\n        satisfy this recommendation. We consider this recommendation\n        resolved and will remain open until DHS provides documentation to\n        support that all planned corrective actions are completed.\n\n        DHS concurred with recommendation 2. The certification and\n        accreditation (C&A) document templates and applicable controls are\n        generated by the DHS C&A Tool at the time the C&A is initiated.\n        Additionally, the required C&A documents are reviewed by the ISO to\n        ensure that all applicable controls are adequately addressed. The\n        document review team has been instructed not to accept any outdated\n        templates or documents without applicable controls in place.\n\n        We agree that the steps that DHS is taking, and plans to take, begin to\n        satisfy this recommendation. We consider this recommendation\n        resolved and will remain open until DHS provides documentation to\n        support that all planned corrective actions are completed.\n\n        DHS concurred with recommendation 3. Components are required to\n        validate 10% of their systems quarterly to ensure configuration\n        requirements are being implemented and maintained. Additionally, the\n        DHS FY10 Information Security Scorecard will show configuration\n        management status based on component quarterly updates. 
DHS plans\n        to complete periodic reviews of the component\'s process to ensure the\n        validation is thorough and complete as part of our program review. The\n        department also continues to research potential enterprise-level tools to\n        support configuration management.\n\n        We agree that the steps that DHS is taking, and plans to take, begin to\n        satisfy this recommendation. We consider this recommendation\n        resolved and will remain open until DHS provides documentation to\n        support that all planned corrective actions are completed.\n\n        DHS concurred with recommendation 4. The DHS SOC is responsible\n        for implementing the department-wide Vulnerability Assessment\n        Tracking (VAT) Program. The DHS SOC has vulnerability assessment\n        scanning capabilities within DHS Headquarters and has deployed\n        distributed scanning servers within most of the components.\n        Implementation of the scanners at the remaining components is in\n        progress. The DHS VAT Program requires at least one annual baseline\n        scan of 100% of DHS systems. POA&Ms are required to be created for\n        any high risk vulnerabilities identified that can not be mitigated timely.\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2009\n\n                                  Page 19\n\x0c        We agree that the steps that DHS is taking, and plans to take, begin to\n        satisfy this recommendation. We consider this recommendation\n        resolved and will remain open until DHS provides documentation to\n        support that all planned corrective actions are completed.\n        DHS concurred with recommendation 5. DHS has begun to develop a\n        role-based training package for component CIO\'s implementation to\n        ensure the required security training of individuals with significant\n        security responsibilities. 
The department performs training for individuals with significant security responsibilities as part of agency-wide and component-sponsored security conferences and workshops. Additionally, several components have established their own role-based training for personnel with significant security responsibilities and invite other components to participate.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 6. DHS continues to make progress in implementing the FDCC requirements outlined in OMB M-07-11 and M-07-18. DHS has published the revised DHS Hardening Guide to incorporate the FDCC requirements for Windows XP and Vista.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 7. The Privacy Office is refining its escalation policy for addressing concerns with outstanding privacy compliance documentation. Once the Chief Privacy Officer approves that policy, it will be distributed to the Component Privacy Officers and privacy points of contact.
The Privacy Office anticipates publication of the policy before the end of the calendar year. Additionally, the Privacy Office has increased the amount of component-specific training being conducted in an effort to shorten the time required to complete a PIA.

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurred with recommendation 8. The Chief Privacy Officer satisfied her part of the requirement outlined in OMB M-07-16 by issuing the Handbook for Safeguarding Sensitive Personally Identifiable Information at DHS on October 31, 2008. A memo to all employees was sent in December 2008 with a link to the rules. These are considered the "rules" associated with the requirement for "rules and consequences."

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
We consider this recommendation resolved; it will remain open until the consequences-of-non-compliance policy, which the Privacy Office is developing in conjunction with the Office of General Counsel and the Chief Human Capital Office, is finalized.

Appendix A
Purpose, Scope, and Methodology

The objective of this review was to determine whether DHS has developed adequate and effective information security policies, procedures, and practices, in compliance with FISMA. In addition, we evaluated DHS’ progress in developing, managing, and implementing its information security program.

Our independent evaluation focused on DHS’ information security program and practices, based on the requirements outlined in FISMA and using OMB Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, issued on August 20, 2009.
We conducted our work at the program level and at DHS’ major components: CBP, CIS, FEMA, FLETC, ICE, Management, NPPD, OIG, S&T, TSA, USCG, and USSS.

In addition to our independent evaluation, we conducted reviews of DHS’ information systems and security program-related areas throughout FY 2009. This report includes the results of a limited number of systems evaluated during the year and of our ongoing financial statement review, including the LAN-A, OneNet, Los Angeles International Airport, and Web server audits.

As part of our evaluation of DHS’ compliance with FISMA, we assessed DHS and its components’ compliance with the security requirements mandated by FISMA and other federal information systems security policies, procedures, standards, and guidelines, including NIST SP 800-37 and FIPS 199. Specifically, we: (1) used last year’s FISMA independent evaluation as a baseline for this year’s review and assessed the progress that DHS has made in resolving weaknesses previously identified; (2) focused on reviewing DHS’ POA&M process to ensure that all security weaknesses are identified, tracked, and addressed; (3) reviewed policies, procedures, and practices that DHS has implemented at the program level and at the component level; (4) evaluated processes (i.e., system inventory, C&A, security training, and incident response) that DHS has implemented as part of its agency-wide information security program; and (5) developed our independent evaluation of
DHS’ information security program.

We reviewed the quality of C&A packages for a sample of 35 systems at 12 components and offices (CBP, CIS, FEMA, FLETC, ICE, Management, NPPD, OIG, S&T, TSA, USCG, and USSS) to ensure that all of the required documents were completed prior to system accreditation. In addition, we evaluated the implementation of DHS’ baseline configurations and compliance with selected NIST SP 800-53 controls for 20 systems at CBP, CIS, FEMA, FLETC, ICE, Management, NPPD, S&T, TSA, USCG, and USSS.

We conducted our evaluation between April and August 2009 under the authority of the Inspector General Act of 1978, as amended, and according to the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency. Major OIG contributors to the evaluation are identified in Appendix L.

The principal OIG points of contact for the evaluation are Frank Deffer, Assistant Inspector General, Office of Information Technology, at (202) 254-4100 and Edward G.
Coleman, Director, Information Security Audit Division, at (202) 254-5444.

Appendix B
Management Response to Draft Report

Appendix C
DHS June and July 2009 FISMA Scorecards

Appendix D
DHS June and July 2008 FISMA Scorecards

Appendix E
FISMA System Inventory and Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

Question 1: System Inventory
1. Identify the number of agency and contractor systems by component and FIPS 199 impact level (low, moderate, high). Please also identify the number of systems that are used by your agency but owned by another federal agency (i.e., ePayroll, etc.)
by component and FIPS 199 impact level.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing
2. For the total number of systems identified by component/bureau and FIPS system impact level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key:
  Q1a  Agency systems: number in inventory (No.) and number reviewed by OIG (Rev.)
  Q1b  Contractor systems: No. and Rev.
  Q1c  Systems used by the agency but owned by another agency: No. and Rev.
  Q1d  Total number of systems, agency and contractor (Q1a + Q1b): No. and Rev.
  Q2a  Systems certified and accredited: number, and percent of the systems reviewed (Pct)
  Q2b  Systems for which security controls have been tested and reviewed in the past year: number and Pct
  Q2c  Systems for which contingency plans have been tested in accordance with policy: number and Pct

Bureau     Level         Q1a Agency    Q1b Contr.    Q1c Other     Q1d Total     Q2a C&A        Q2b Ctrls      Q2c CP
                          No.  Rev.     No.  Rev.     No.  Rev.     No.  Rev.     No.    Pct     No.    Pct     No.    Pct
CBP        High           18    10       1     0       0     0      19    10      10   100%      10   100%      10   100%
CBP        Moderate       30     3       1     0       0     0      31     3       3   100%       3   100%       3   100%
CBP        Low             0     0       1     1       0     0       1     1       1   100%       1   100%       1   100%
CBP        Undefined       0     0       0     0       1     1       1     0       0     0%       0     0%       0     0%
CBP        Sub-total      48    13       3     1       1     1      51    14      14   100%      14   100%      13    93%
DNDO       High            0     0       0     0       0     0       0     0       0     0%       0     0%       0     0%
DNDO       Moderate        1     0       0     0       0     0       1     0       0     0%       0     0%       0     0%
DNDO       Low             0     0       0     0       0     0       0     0       0     0%       0     0%       0     0%
DNDO       Sub-total       1     0       0     0       0     0       1     0       0     0%       0     0%       0     0%
FEMA       High           14     7       5     2       0     0      19     9       9   100%       8    89%       7    78%
FEMA       Moderate       14     2      14     3       0     0      28     5       4    80%       4    80%       5   100%
FEMA       Low             5     1       4     0       0     0       9     1       1   100%       1   100%       1   100%
FEMA       Sub-total      33    10      23     5       0     0      56    15      14    93%      13    87%      13    87%
FLETC      High            0     0       0     0       0     0       0     0       0     0%       0     0%       0     0%
FLETC      Moderate        7     2       2     1       0     0       9     3       3   100%       3   100%       3   100%
FLETC      Low             0     0       0     0       0     0       0     0       0     0%       0     0%       0     0%
FLETC      Undefined       1     0       0     0       0     0       1     0       0     0%       0     0%       0     0%
FLETC      Sub-total       8     2       2     1       0     0      10     3       3   100%       3   100%       3   100%
I&A        High            1     0       1     0       0     0       2     0       0     0%       0     0%       0     0%
I&A        Moderate        0     0       0     0       0     0       0     0       0     0%       0     0%       0     0%
I&A        Low             1     0       0     0       0     0       1     0       0     0%       0     0%       0     0%
I&A        Sub-total       2     0       1     0       0     0       3     0       0     0%       0     0%       0     0%
ICE        High            9     3      14     3       0     0      23     6       5    83%       1    17%       6   100%
ICE        Moderate       16     2      24     2       0     0      40     4       4   100%       1    25%       4   100%
ICE        Low             7     0       5     0       0     0      12     0       0     0%       0     0%       0     0%
ICE        Sub-total      32     5      43     5       0     0      75    10       9    90%       2    20%      10   100%
ISO        High            1     0       0     0       0     0       1     0       0     0%       0     0%       0     0%
ISO        Moderate        0     0       1     0       0     0       1     0       0     0%       0     0%       0     0%
ISO        Low             0     0       0     0       0     0       0     0       0     0%       0     0%       0     0%
ISO        Sub-total       1     0       1     0       0     0       2     0       0     0%       0     0%       0     0%
RMC        High            6     3       8     2       0     0      14     5       5   100%       1    20%       3    60%
RMC        Moderate        4     2       4     1       0     0       8     3       3   100%       3   100%       2    67%
RMC        Low             0     0       1     0       0     0       1     0       0     0%       0     0%       0     0%
RMC        Undefined       1     0       0     0       0     0       1     0       0     0%       0     0%       0     0%
RMC        Sub-total      11     5      13     3       0     0      24     8       8   100%       3    38%       5    63%
NPPD       High            2     0       6     4       0     0       8     4       4   100%       3    75%       3    75%
NPPD       Moderate        5     0      10     0       0     0      15     0       0     0%       0     0%       0     0%
NPPD       Low             1     1       1     0       0     0       2     1       1   100%       1   100%       1   100%
NPPD       Sub-total       8     1      17     4       0     0      25     5       5   100%       4    80%       4    80%
OIG        High            2     0       0     0       0     0       2     0       0     0%       0     0%       0     0%
OIG        Moderate        0     0       0     0       0     0       0     0       0     0%       0     0%       0     0%
OIG        Low             0     0       0     0       0     0       0     0       0     0%       0     0%       0     0%
OIG        Sub-total       2     0       0     0       0     0       2     0       0     0%       0     0%       0     0%
OPS        High            1     0       1     0       0     0       2     0       0     0%       0     0%       0     0%
OPS        Moderate        1     0       0     0       0     0       1     0       0     0%       0     0%       0     0%
OPS        Low             0     0       0     0       0     0       0     0       0     0%       0     0%       0     0%
OPS        Sub-total       2     0       1     0       0     0       3     0       0     0%       0     0%       0     0%
S&T        High            2     0       1     0       0     0       3     0       0     0%       0     0%       0     0%
S&T        Moderate        4     2       5     1       0     0       9     3       3   100%       3   100%       3   100%
S&T        Low             1     0       5     0       0     0       6     0       0     0%       0     0%       0     0%
S&T        Sub-total       7     2      11     1       0     0      18     3       3   100%       3   100%       3   100%
TSA        High           15     3       8     2       0     0      23     5       5   100%       5   100%       5   100%
TSA        Moderate       29     3      15     0       0     0      44     3       3   100%       3   100%       3   100%
TSA        Low             5     0       2     0       0     0       7     0       0     0%       0     0%       0     0%
TSA        Undefined       7     3       0     0       0     0       7     3       3   100%       2    67%       3   100%
TSA        Sub-total      56     9      25     2       0     0      81    11      11   100%      10    91%      11   100%
USCG       High           37     7       5     3       0     0      42    10      10   100%       8    80%       9    90%
USCG       Moderate       44     6      17     3       0     0      61     9       6    67%       4    44%       9   100%
USCG       Low            12     0       4     2       0     0      16     2       1    50%       1    50%       2   100%
USCG       Sub-total      93    13      26     8       0     0     119    21      17    81%      13    62%      20    95%
USCIS      High            0     0       1     0       0     0       1     0       0     0%       0     0%       0     0%
USCIS      Moderate       61     3      32     7       0     0      93    10      10   100%      10   100%      10   100%
USCIS      Low             0     0       2     0       0     0       2     0       0     0%       0     0%       0     0%
USCIS      Sub-total      61     3      35     7       0     0      96    10      10   100%      10   100%      10   100%
USSS       High            9     3       0     0       0     0       9     3       3   100%       2    67%       3   100%
USSS       Moderate        3     0       0     0       0     0       3     0       0     0%       0     0%       0     0%
USSS       Low             1     0       0     0       0     0       1     0       0     0%       0     0%       0     0%
USSS       Sub-total      13     3       0     0       0     0      13     3       3   100%       2    67%       3   100%
Agency Totals
           High          117    36      51    16       0     0     168    52      51    98%      38    73%      46    88%
           Moderate      219    25     125    18       0     0     344    43      39    91%      34    79%      42    98%
           Low            33     2      25     3       0     0      58     5       4    80%       4    80%       5   100%
           Undefined       9     3       0     0       1     1       9     3       3   100%       2    67%       3   100%
           Total         378    66     201    37       1     1     579   103      97    94%      78    76%      96    93%

Appendix F
Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

The agency performs oversight and evaluation to ensure that information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.

Does the agency have policies for oversight of contractors? Yes/No  Response: Yes

If the answer above is Yes, is the policy implemented? Yes/No  Response:
Yes (a)

The agency has a materially correct inventory of major information systems (including national security systems) operated by or under the control of such agency. Yes/No  Response: Yes

Does the agency maintain an inventory of interfaces between the agency systems and all other systems, such as those not operated by or under the control of the agency? Yes/No  Response: Yes

Does the agency require agreements for interfaces between systems it owns or operates and other systems not operated by or under the control of the agency? Yes/No  Response: Yes (b)

The IG generally agrees with the CIO on the number of agency-owned systems. Yes/No  Response: Yes

The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes/No  Response: Yes

The agency inventory is maintained and updated at least annually. Yes/No  Response: Yes

If the IG does not indicate that the agency has a materially correct inventory, please identify any known missing major systems by Component/Bureau, the Unique Project Identifier (UPI) associated with the systems as presented in the FY 2009 Exhibit 300 (if known), and indicate if the system is an agency or contractor system.

Component/Bureau   System Name    Exhibit 300 UPI   Agency or Contractor System?
CBP                WWW.CBP.GOV    (none listed)     Agency System Owned by Another Agency

Number of known systems missing from the inventory: 1 System Missing

(a) Implementation of policy for contractor owned or operated systems needs improvement. During our C&A review and web server audit, we identified instances where components did not ensure that the required vulnerability assessments or configuration setting reviews were performed by the contractors.
(b) During our C&A quality review, we found that some memoranda of agreement (MOAs) were outdated or had yet to be established.

Appendix G
Evaluation of Agency Plan of Action and Milestones Process

Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process, providing explanatory detail in the area provided.

Has the Agency developed and documented an adequate policy that establishes a POA&M process for reporting IT security deficiencies and tracking the status of remediation efforts? Yes/No  Response: Yes (a)

Has the Agency fully implemented the policy? Yes/No  Response: Yes (b)

Is the Agency currently managing and operating a POA&M process? Yes/No  Response: Yes (c)

Is the agency's POA&M process an agency-wide process, incorporating all known IT security weaknesses, including IG/external audit findings associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency? Yes/No  Response: Yes (d)

Does the POA&M process prioritize IT security weaknesses to help ensure that significant IT security weaknesses are corrected in a timely manner and receive appropriate resources? Yes/No  Response:
           No (e)\nYes/No\n\nWhen an IT security weakness is identified, do program officials (including CIOs, if they own\n                                                                                                                   Yes\nor operate a system) develop, implement, and manage POA&Ms for their system(s)? Yes/No\n\nFor Systems Reviewed:\n                                                                                                              a. Yes\na. Are deficiencies tracked and remediated in a timely manner? Yes/No\n                                                                                                              b. Yes\nb. Are the remediation plans effective for correcting the security weakness? Yes/No\n                                                                                                              c. Yes (f)\nc. Are the estimated dates for remediation reasonable and adhered to? Yes/No\nDo Program officials and contractors report their progress on security weakness remediation\n                                                                                                                 Yes (g)\nto the CIO on a regular basis (at least quarterly)? Yes/No\n\nDoes the Agency CIO centrally track, maintain, and independently review/validate POA&M\n                                                                                                                 Yes (h)\nactivities on at least a quarterly basis? Yes/No\n(a) DHS requires components to create and manage POA&Ms for all known IT security weaknesses.\n(b) As of June 30, 2009, DHS has 3,918 open POA&Ms. \tHowever, POA&Ms have not been created for all weaknesses\n    identified during the C&A process. Components are not consistently maintaining and tracking their classified POA&Ms.\n(c) DHS is managing and operating a POA&M process on its unclassified systems. 
However, components are not consistently maintaining, tracking, or prioritizing their classified POA&Ms.
(d) POA&Ms have not been created for all OIG audit findings. Components have created POA&Ms for 162 out of 179 (91%) recommendations cited in OIG audit reports (including Notices of Findings and Recommendations).
(e) For classified POA&Ms, components have not identified the source of the weakness or included the milestones of the POA&Ms. In addition, there is no evidence of periodic updates, component CISO reviews, or that these weaknesses were properly prioritized.
(f) Out of the 3,918 open POA&Ms, 837 are three months past due and 563 are 12 months past due. Our review also determined that 1,859 out of 3,918 (47%) open POA&Ms have been delayed.
(g) DHS requires that all POA&M information be updated at least monthly. However, POA&Ms have not been updated on a regular basis. For example, 1,488 out of 3,918 (38%) open POA&Ms have not been updated within the last 90 days.
(h) The CIO performs daily automated quality reviews on all POA&Ms to ensure that information entered into the enterprise management system is accurate, reasonable, and complete. However, components are not entering and tracking all IT security weaknesses in DHS' enterprise management tool, nor is all of the data entered by the components accurate and updated in a timely manner.

Appendix H
IG Assessment of the Certification and Accreditation Process

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards.
Agencies shall follow NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (May 2004), for certification and accreditation work initiated after May 2004. This includes use of FIPS 199 (February 2004), Standards for Security Categorization of Federal Information and Information Systems, to determine a system impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Provide explanatory detail in the area provided.

Has the Agency developed and documented an adequate policy for establishing a certification and accreditation process that follows the NIST framework? Yes/No
    Response: Yes (a)

Is the Agency currently managing and operating a C&A process in compliance with its policies? Yes/No
    Response: Yes

For systems reviewed, does the C&A process adequately provide (check all that apply):
    [X] Appropriate risk categories
    [X] Adequate risk assessments
    [X] Selection of appropriate controls
    [X] Adequate testing of controls
    [X] Regular monitoring of system risks and the adequacy of controls

For systems reviewed, is the Authorizing Official presented with complete and reliable C&A information to facilitate an informed system Authorization to Operate decision based on risks and controls implemented? Yes/No
    Response: Yes (b)

(a) DHS bases its certification and accreditation (C&A) process on NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, for its unclassified systems.
Components are required to follow the Department of Defense (DoD) Information Assurance Certification and Accreditation Process when certifying and accrediting their classified systems.
(b) Based on our review of 35 systems across 12 components, artifacts that are required to C&A a system were either missing or incomplete.

Appendix I
IG Assessment of Agency Privacy Program and Privacy Impact Assessment Process

Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

Provide a qualitative assessment of the agency's process, as discussed in Section D, for protecting privacy-related information, including adherence to existing policy, guidance and standards. Provide explanatory information in the area provided.

Has the Agency developed and documented adequate policies that comply with OMB guidance in M-07-16, M-06-15, and M-06-16 for safeguarding privacy-related information? Yes/No
    Response: Yes (a)

Is the Agency currently managing and operating a privacy program with appropriate controls in compliance with its policies? Yes/No
    Response: Yes

Has the Agency developed and documented an adequate policy for Privacy Impact Assessments? Yes/No/NA
    Response: Yes

Has the Agency fully implemented the policy and is the Agency currently managing and operating a process for performing adequate privacy impact assessments? Yes/No/NA
    Response: Yes

(a) DHS has not implemented all of the requirements outlined in OMB M-07-16. Specifically, DHS has not defined the consequences for users who do not comply with the policy. The Privacy Office is working with the Office of General Counsel and the Chief Human Capital Office to develop a policy on the consequences of non-compliance.

Appendix J
Configuration Management

Question 7: Configuration Management

Is there an agency-wide security configuration policy? Yes/No
    Response: Yes

What tools and techniques is your agency using for monitoring compliance?
    Response: Tenable Security Center

Indicate the status of the implementation of FDCC at your agency:
- Agency has documented deviations from FDCC standard configuration. Yes/No
    Response: Yes
- New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes/No
    Response: No (a)

(a) DHS has not incorporated the standard FDCC contract language into all IT acquisitions. CBP, FLETC, ICE, and TSA have not incorporated the standard language into their IT contracts. While CIS indicated that it had incorporated the language into its IT acquisitions, we could not identify the FDCC standard language in the contracts sampled.

Appendix K
Incident Reporting

Question 8: Incident Reporting

How often does the agency comply with documented policies and procedures for identifying and reporting incidents internally? Answer will be a percentage range
    Response: 90-100%

How often does the agency comply with documented policies and procedures for timely reporting of incidents to US-CERT? Answer will be a percentage range
    Response: 90-100%

How often does the agency comply with documented policies and procedures for reporting to law enforcement? Answer will be a percentage range
    Response: 90-100%

Appendix L
Security Awareness Training and Peer-to-Peer File Sharing

Question 9: Security Awareness Training

Has the agency ensured IT security awareness training of all users with login privileges, including contractors and those employees with significant IT security responsibilities? Provide explanatory detail in the space provided.
    Response: Yes (a)

Has the Agency developed and documented an adequate policy for identifying all general users, contractors, and system owners/employees who have login privileges, and providing them with suitable IT security awareness training? Yes/No/NA
    Response: Yes

Report the following for your agency:

Total number of people with login privileges to agency systems
    Response: Unable to Determine (b)

Number of people with login privileges to agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program" (October 2003)
    Response: Unable to Determine

Total number of employees with significant information security responsibilities
    Response: 2,701

Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model" (April 1998)
    Response: 2,535

Question 10: Peer-to-Peer File Sharing

Does the agency explain policies regarding the use of peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes/No
    Response: Yes

(a) DHS requires all employees and contractors to take security awareness training at least annually.
(b) As of August 1, 2009, DHS has a total of 262,049 employees and contractors at its various components. DHS does not maintain a centralized list of users with login privileges. Components are responsible for creating and maintaining user accounts for their employees and contractors. As such, we are unable to determine the number of users with login privileges.

Appendix M
Major Contributors to this Report

Information Security Audit Division

    Edward G. Coleman, Director
    Chiu-Tong Tsang, Audit Manager
    Barbara Bartuska, Audit Manager
    Mike Horton, Information Technology Officer
    Maria L. Rodriguez, Team Lead
    Aaron Zappone, Program Analyst
    Thomas Rohrback, IT Specialist
    Michael Kim, IT Auditor
    David Bunning, IT Specialist
    Joseph Landas, Management/Program Assistant
    Lauren Badley, Management/Program Assistant

    Pamela Chambliss-Williams, Referencer

Appendix N
Report Distribution

Department of Homeland Security

    Secretary
    Deputy Secretary
    Chief of Staff
    Deputy Chief of Staff
    General Counsel
    Executive Secretary
    Assistant Secretary for Legislative and Intergovernmental Affairs
    Assistant Secretary for Policy
    Assistant Secretary for Public Affairs
    Chief Information Officer
    Deputy Chief Information Officer
    Chief Financial Officer
    Chief Privacy Officer
    Chief Human Capital Officer
    Chief Information Security Officer
    Director, GAO/OIG Liaison Office
    Director, Compliance and Oversight Program, Office of CIO
    Deputy Director, Compliance and Oversight Program, Office of CIO
    Director, Privacy Compliance
    Chief Information Officer Audit Liaison
    Chief Information Security Officer Audit Liaison
    Privacy Office Audit Liaison
    Component CIOs
    Component CISOs

Office of Management and Budget

    Chief, Homeland Security Branch
    DHS OIG Budget Examiner

Congress

    Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.